
This week in Linux and OSS news, the 2018 Toyota Camry infotainment system is powered by Automotive Grade Linux, high severity Sudo vulnerability gets patched, and more! Read on to stay in the open source know. 

1) The 2018 Toyota Camry will come loaded with Automotive Grade Linux (AGL) and Entune 3.0.

Toyota’s Latest Infotainment System is Powered By Linux- Engadget

2) Linux and UNIX program Sudo has revealed a “high severity” vulnerability recently; Linux distros like Red Hat and Debian have pushed patches forward.

Patches Available For Linux Sudo Vulnerability- Threatpost

3) “[Containers and hypervisors] are beginning to merge,” writes Liam Proven. Here’s what that means for the enterprise.

The Linux Cloud Swap That Spells Trouble For Microsoft and VMware

4) Red Hat’s acquisition of Codenvy “will add additional cloud tools to enable developers to enhance their container-based and cloud applications.”

Red Hat Buying Cloud Development Tools Vendor Codenvy

5) Online-only supermarket Ocado recently announced Kubermesh, an open source package aimed at simplifying data center architectures for “smart factories.”

Open Source Solution For Smarter Warehouses- Huffington Post

This week in open source and Linux news, EdgeX Foundry is picking up attention among “cloud players,” recently published study finds many security issues in OSS & more! Keep reading, stay in the know.

1) Cloud players are getting serious about Edge Computing and efforts like EdgeX Foundry are a “step in the right direction.”

Linux Foundation Announces EdgeX Foundry To Drive Standardization of Edge Computing– Forbes

2) New study finds high number of ubiquitous open source security issues.

Open Source Security Audit ‘Should Be a Wake-Up Call’– ADT Magazine

3) New research comparing acceptance rates of contributions from men and women in an OSS community finds women’s contributions accepted more often than men’s — except when gender is identifiable.

Study Finds Gender Bias in Open-Source Programming– Phys.org

4) The latest version of Linux has been released under the moniker “Fearless Coyote.”

New Features and Fixes in Linux 4.11– SDTimes

5) New white paper by The Linux Foundation seeks to examine how [standards and open source] can live in harmony.

Linux Foundation Zeros in on Harmonizing Open Source, Standards– FierceWireless

There has been some public discussion in the last week regarding the decision by Open Source Security Inc. and the creators of the Grsecurity® patches for the Linux kernel to cease making these patches freely available to users who are not paid subscribers to their service. While we at the Core Infrastructure Initiative (CII) would have preferred them to keep these patches freely available, the decision is absolutely theirs to make.

From the point of view of the CII, we would much rather have security capabilities such as those offered by Grsecurity® in the main upstream kernel rather than available as a patch that needs to be applied by the user. That said, we fully understand that there is a lot of work involved in upstreaming extensive patches such as these and we will not criticise the Grsecurity® team for not doing so. Instead we will continue to support work to make the kernel as secure as possible.

CII exists to support work improving the security of critical open source components. In a Linux system a flaw in the kernel can open up the opportunity for security problems in any or all the components – so it is in some sense the most critical component we have. Unsurprisingly, we have always been keen to support work that will make this more secure and plan to do even more going forward.

Over the past few years the CII has been funding the Kernel Self Protection Project, the aim of which is to ensure that the kernel fails safely rather than just running safely. Many of the threads of this project were ported from the GPL-licensed code created by the PaX and Grsecurity® teams while others were inspired by some of their design work. This is exactly the way that open source development can both nurture and spread innovation. Below is a list of some of the kernel security projects that the CII has supported.

One of the larger kernel security projects that the CII has supported was the work performed by Emese Revfy on the plugin infrastructure for gcc. This architecture enables security improvements to be delivered in a modular way, and Emese also worked on the constify, latent_entropy, structleak and initify plugins.

  • Constify automatically applies const to structures which consist of function pointer members.

  • The Latent Entropy plugin mitigates the problem of the kernel having too little entropy during and after boot for generating crypto keys. This plugin mixes random values into the latent_entropy global variable in functions marked by the __latent_entropy attribute. The value of this global variable is added to the kernel entropy pool to increase the entropy.

  • The Structleak plugin zero-initializes any structures containing a __user attribute. This can prevent some classes of information exposures. For example, the exposure of siginfo in CVE-2013-2141 would have been blocked by this plugin.

  • Initify extends the kernel mechanism to free up code and data memory that is only used during kernel or module initialization. This plugin will teach the compiler to find more such code and data that can be freed after initialization, thereby reducing memory usage. It also moves string constants used in initialization into their own sections so they can also be freed.

Another, current project that the CII is supporting is the work by David Windsor on HARDENED_ATOMIC and HARDENED_USERCOPY.

HARDENED_ATOMIC is a kernel self-protection mechanism that greatly helps with the prevention of use-after-free bugs. It is based on work done by Kees Cook and the PaX Team. David has been adding new data types for reference counts and statistics so that these do not need to use the main atomic_t type.

The overall hardened usercopy feature is extensive, and has many sub-components. The main part David is working on is called slab cache whitelisting. Basically, hardened usercopy adds checks into the Linux kernel to make sure that whenever data is copied to/from userspace, buffer overflows do not occur.  It does this by verifying the size of the source and destination buffers, the location of these buffers in memory, and other checks.

One of the ways that it does this is to deny, by default, copying from kernel slabs unless they are explicitly marked as being allowed to be copied. Slabs are areas of memory that hold frequently used kernel objects. Because these objects are frequently used, they are allocated and freed many times. Rather than calling the kernel allocator each time it needs a new object, the kernel simply takes one from a slab, and rather than freeing these objects, it returns them to the appropriate slab. Hardened usercopy, by default, will deny copying objects obtained from slabs. The work David is doing is to add the ability to mark slabs as being “copyable.” This is called “whitelisting” a slab.
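A userspace model of the check described above, as an added example; it is not kernel code and not from the CII post. All struct, field and function names are hypothetical, and the whitelist is modelled, as an assumption, as a byte window (`useroffset`, `usersize`) inside each slab object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of a slab cache (hypothetical names, not kernel API).
 * [useroffset, useroffset + usersize) is the only part of each object that
 * may cross the user/kernel boundary; usersize == 0 means "not whitelisted". */
struct slab_cache_model {
    size_t object_size, useroffset, usersize;
};

enum copy_verdict { COPY_OK, DENY_NOT_IN_SLAB, DENY_NOT_WHITELISTED, DENY_OUTSIDE_WINDOW };

/* Constructed sample object: only display_name is meant to reach userspace. */
struct session_model {
    char secret_key[32];
    char display_name[16];
    void (*handler)(void);
};
#define NAME_OFF offsetof(struct session_model, display_name)
#define NAME_LEN sizeof(((struct session_model *)0)->display_name)
#define SLAB_OBJECTS 4
static struct session_model slab[SLAB_OBJECTS];   /* constructed sample slab */

/* Decide whether n bytes starting at ptr may be copied to or from userspace. */
enum copy_verdict check_slab_copy(const struct slab_cache_model *c, uintptr_t slab_base,
                                  size_t nr_objects, uintptr_t ptr, size_t n)
{
    if (ptr < slab_base || ptr - slab_base >= c->object_size * nr_objects)
        return DENY_NOT_IN_SLAB;          /* location check */
    if (c->usersize == 0)
        return DENY_NOT_WHITELISTED;      /* default: slabs are not copyable */
    size_t offset = (ptr - slab_base) % c->object_size;   /* offset inside its object */
    if (offset < c->useroffset || offset - c->useroffset > c->usersize)
        return DENY_OUTSIDE_WINDOW;       /* starts outside the copyable window */
    if (n > c->usersize - (offset - c->useroffset))
        return DENY_OUTSIDE_WINDOW;       /* size check: would run past the window */
    return COPY_OK;
}

/* Demo helper: check a copy of n bytes at `offset` inside object `idx`. */
enum copy_verdict try_copy(int whitelisted, size_t idx, size_t offset, size_t n)
{
    struct slab_cache_model c = { sizeof(struct session_model), NAME_OFF,
                                  whitelisted ? NAME_LEN : 0 };
    uintptr_t base = (uintptr_t)slab;
    return check_slab_copy(&c, base, SLAB_OBJECTS, base + idx * c.object_size + offset, n);
}

int main(void)
{
    printf("whitelisted, name field, exact size : %d\n", try_copy(1, 2, NAME_OFF, NAME_LEN));
    printf("whitelisted, one byte too many      : %d\n", try_copy(1, 2, NAME_OFF, NAME_LEN + 1));
    printf("whitelisted, secret_key field       : %d\n", try_copy(1, 2, 0, 8));
    printf("same copy, cache not whitelisted    : %d\n", try_copy(0, 2, NAME_OFF, NAME_LEN));
    printf("pointer past the end of the slab    : %d\n", try_copy(1, SLAB_OBJECTS, 0, 1));
    return 0;
}
```

The one-byte-too-many case is the interesting one: the copy starts inside the whitelisted field but would spill into the adjacent function pointer, so it is refused as a whole.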

We also have two new projects starting, where we are working with a senior member of the kernel security team mentoring a younger developer. The first of these projects is under Julia Lawall, who is based at the Université Pierre-et-Marie-Curie in Paris and who is mentoring Bhumika Goyal, an Indian student who will travel to Paris for the three months of the project. Bhumika will be working on ‘constification’ – systematically ensuring that those values that should not change are defined as constants.

The second project is under Peter Senna Tschudin, who is based in Switzerland and is mentoring Gustavo Silva, from Mexico, who will be working on the issues found by running the Coverity static analysis tool over the kernel. Running a tool like Coverity over a very large body of code like the Linux kernel will produce a very large number of results. Many of these results may be false positives and many of the others will be very similar to each other. Peter and Gustavo intend to use the Semantic Patch Language (SmPL) to write patches which can be used to fix whole classes of issue detected by Coverity in order to more rapidly work through the long list. The goal here is to get the kernel source to a state where the static analysis scan yields very few warnings, which in turn means that as new code is added which causes a warning it will more prominently stand out, which will make the results of future analysis much more valuable.

The Kernel Self Protection Project keeps a list of projects that they believe would be beneficial to the security of the kernel. The team has been working through this list and if you are interested in helping to make the Linux kernel more secure then we encourage you to get involved. Sign up to the mailing lists, get involved in the discussions and if you are up for it then write some code. If you have specific security projects that you want to work on and you need some support in order to be able to do so then do get in touch with the CII. Supporting this sort of work is our job and we are standing by for your call!

This week in open source and Linux news, The Linux Foundation/OPNFV’s very own Heather Kirksey is recognized for her leadership as a finalist in Light Reading’s WiC awards, Ubuntu’s uncertainty grows, and more. Read on to stay current in developing OSS stories!

1) The Linux Foundation/OPNFV’s Heather Kirksey is a finalist in Light Reading’s Women in Comms Leading Lights awards!

WiC Leading Lights: Meet the 2017 Finalists– Light Reading

2) Ubuntu’s week of surprising revelations and major shifts continues.

Ubuntu Linux Uncertainty Continues as Canonical CEO Walks Away– betanews

3) Keith Townsend makes a case for why you should follow Linux Foundation Projects PNDA, DPDK, and Open vSwitch.

3 Linux Foundation Networking Projects Your Business Needs to Know– TechRepublic

4) Carol Wilson continues a knowledge share from last week’s Open Networking Summit in Santa Clara, CA

5 More Key Takeaways From ONS– Light Reading

5) A new project will allow users to run Android apps on top of current Linux Distros.

Running Android Apps On Any Linux Distro Run PC/Laptop is Now Possible With Anbox– TechWorm

This week in open source and Linux news, Cloud Foundry releases its new certification program for developers, Google creates a new home-base for its open source initiatives, and more! Read on to stay in the open source loop!

1) Cloud Foundry launches “the world’s largest cloud-native developer certification initiative.”

Cloud Foundry Launches its Developer Certification Program– TechCrunch

2) Google has launched opensource.google.com

Google Builds New Home For Everything Open Source– CIO Dive

3) Hyperledger Executive Director Brian Behlendorf talks about the “possibilities blockchain offers for transparent, efficient and quickly executed transactions” in this interview.

Hyperledger Chief: Live Blockchain Solutions in Trade Finance This Year– Global Trade Review

4) AT&T continues long history of open source involvement with new Linux Foundation membership.

AT&T Takes Up Membership in The Linux Foundation, Furthers Open Source Efforts– Fierce Telecom

5) Attackers have been targeting developers present on GitHub since January.

Open-Source Developers Targeted in Sophisticated Malware Attack– PCWorld

This week in Linux and open source news, The Linux Foundation’s Hyperledger Project to help China get greener, an old Linux vulnerability surfaces, and more! Read on to stay in the OSS know!

1) IBM and Energy-Blockchain Labs announced a blockchain-based trading platform for “green assets” that’s based on Hyperledger.

How Blockchain Is Helping China Go Greener– Fox Business

2) “A Linux developer discovered a serious security hole that’s been hiding for years in an out-of-date driver.”

Old Linux Kernel Security Bug Bites– ZDNet

3) Gates’ Radiant Earth Project hopes to “encourage the creation of more open source technologies and innovation that can help ‘solve societies’ most pressing issues.'”

Bill Gates Has Started a New Crusade to Save the World– Fortune

4) Containerd to become a CNCF project

Docker and Core OS Plan to Donate Their Container Technologies to CNCF– CIO

5) “IBM’s public cloud will run Red Hat’s OpenStack and Ceph storage products”

IBM + Red Hat = An Open Source Hybrid Cloud– NetworkWorld

This week in open source news, SDxCentral calls The Linux Foundation crucial to the networking evolution, the cloud should be central in kickstarting your business, and more! Read on for more Linux and OSS headlines.

1) “With the importance of open source and SDN, virtual switches, and open software stacks, the Linux Foundation has become highly relevant to the next-gen data center networking evolution.”

Web Titans Have Big Influence on Data Center Networking Efforts– SDxCentral

2) The cloud can help developers achieve great success while keeping costs down. The Register delves into how startups, PaaS, and blockchain factor in.

How the Cloud Can Kickstart Your Business– The Register

3) Karl-Heinz Schneider claims that there are no good reasons to migrate back to Windows, after a back and forth city debate.

Munich IT Chief Slams City’s Decision to Dump Linux For Windows– The Inquirer

4) A dangerous flaw in the kernel allowed attackers to elevate their access rights and crash systems.

Another Years-Old Flaw Fixed in the Linux Kernel– BleepingComputer

5) “Dramatic changes in the use of open source require modifications to organizations’ application security strategies.”

Security in the Age of Open Source– DarkReading

This week in open source news, the massive Wikileaks document release prompts industry leaders to comment, Steven J. Vaughan-Nichols reviews the latest updates and features for Skype for Linux, and more! Keep reading to stay on top of this busy OSS news week!

1) CIA “Vault7” leaks involving weaponized exploits used against operating systems including Linux were likely the work of a “dissatisfied insider.”

C.I.A. Scrambles to Contain Damage From WikiLeaks Documents– The New York Times

Linux Foundation CTO Nicko Van Someren comments on Vault7, explaining that open source is more secure, thanks to continuous updates.

The Linux Foundation Responds to Wikileaks’ CIA Hacking Revelations– The Inquirer

2) Video conferencing has returned to Microsoft’s Skype for Linux.

What’s New in the Skype for Linux Beta– ZDNet

3) Microsoft backs  Qualcomm’s ARM server efforts and announces a partnership with chipmaker Cavium for using ARM-based data center chips.

Microsoft Partners With Qualcomm To Open Floodgates For ARM-Based Data Center– Forbes

4) Google implements emergency patching plan to repair a “pernicious” software vulnerability that infected thousands of 2015 OSS projects.

Google Leads ‘Guerilla Patching’ of Big Vulnerability in Open Source Projects

This week in open source news, CNCF adds gRPC to list of existing projects, making it the sixth, and other stories. Keep reading to stay on top of your news this week!

1) The Linux Foundation’s Cloud Native Computing Foundation (CNCF) announced it’s adding gRPC open source protocol to list of projects.

gRPC – The Protocol Of Microservices Joins The Cloud Native Computing Foundation– Forbes

2) Open source community changes “promise to accelerate the adoption of software-defined networks (SDN).”

Open-Source Networking Is Coming of Age– ChannelInsider

3) Skype continues to strengthen new Linux app “with a handful of new updates that mark its transition from alpha into beta.”

Skype’s Linux App Graduates to Beta With New Features Including Cross-Platform Video Chats, Calls to Mobile Numbers– VentureBeat

4) CentOS developer/maintainer announces “availability of an important Linux kernel security update for all users of the CentOS 5 operating system series.”

Important Linux Kernel Security Update Now Available for CentOS 5 Users– Softpedia

5) Johns Hopkins Cryptographer and Computer Scientist Matthew Green explains he’s happy to see any code come out of Google’s Gmail encryption work, but that it’s “hardly the email-encrypting plugin Google promised.”

After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor– WIRED

Start exploring Linux Security Fundamentals by downloading the free sample chapter today.

In last week’s tutorial, we tried out tcpdump and wireshark, two of the most useful tools for troubleshooting what is happening as network traffic is transmitted and received on the system.

nmap is another essential tool for troubleshooting and discovering information about the network and services available in an environment. This is an active tool (in contrast to tcpdump and wireshark) which sends packets to remote systems in order to determine information about the applications running and services offered by those remote systems.

Be sure to inform the network security team as well as obtain written permission from the owners and admins of the systems which you will be scanning with the nmap tool. In many environments, active scanning is considered an intrusion attempt.

The information gleaned from running nmap can provide clues as to whether or not a firewall is active in between your system and the target. nmap also indicates what the target operating system might be, based on fingerprints of the replies received from the target systems. Banners from remote services that are running may also be displayed by the nmap utility.

Set up your system

Access to the Linux Foundation’s lab environment is only possible for those enrolled in the course. However, we’ve created a standalone lab for this tutorial series that runs on any single machine or virtual machine and does not need the lab setup to be completed. The best results are obtained by using “bridging” rather than “NAT” in your virtualization manager. Consult the documentation for your virtualization type (e.g., Oracle VirtualBox, VMware Workstation, and others) to verify or alter the networking connection type.

Start the exercise

First, let’s install nmap on your Linux machine.

For Red Hat, Fedora and Suse machines:

$ sudo yum install nmap

For Debian and Ubuntu machines:

$ sudo apt-get install nmap  

Next, explore the nmap man page.

$ man nmap

For the best results, run nmap as root or use sudo with the nmap command.

Now, we will run nmap on the localhost:

# nmap localhost 

Increase the information nmap acquires:

# nmap -sS -PO -sV -O localhost

By adding the -A option to the nmap program, we can see the OS fingerprint detection capabilities of nmap:

# nmap -A localhost

A common usage for nmap is to perform a network ping scan; basically, ping all possible IP addresses in a subnet range in order to discover what IP addresses are currently in use. This is also sometimes referred to as network discovery.

# nmap -sP 192.168.0.0/24

Another interesting nmap command finds all the active IP addresses on a locally attached network:

# nmap -T4 -sP 192.168.0.0/24 1>/dev/null && grep -v "00:00:00:00:00:00" /proc/net/arp

Addressing for nmap is very flexible: DNS names, IP addresses, and IP ranges are all acceptable. Consult the man page for additional details.

We cover more uses for this tool later in the course. For now, have fun exploring the tool!

This concludes our six-part series on Linux Security Fundamentals. Download the entire sample chapter for the course or re-visit previous tutorials in this series, below.

Stay one step ahead of malicious hackers with The Linux Foundation’s Linux Security Fundamentals course. Download a sample chapter today!

Read the other articles in the series:

Linux Security Threats: The 7 Classes of Attackers

Linux Security Threats: Attack Sources and Types of Attacks

Linux Security Fundamentals Part 3: Risk Assessment / Trade-offs and Business Considerations

Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark